Access Control Concepts

    +

    An introduction to the key concepts behind the provision of effective access control in Sync Gateway
    The sync function API provides several methods that you can use to validate and control user access to databases and documents.

    Access Control Model

    Concept

    You control document access by routing it to a channel and by making that channel accessible to the users or roles you want to be able to access documents of that type.

    Model

    In the Couchbase Mobile ecosystem access to documents is governed by three key entities: users, roles and channels.

    Access Control Model

    Access

    Conceptually, the channel can be considered as a tag associated with a document. Every document processed by the Sync Gateway is assigned to a channel (user-defined or system-defined). A channel is the fundamental way to segregate documents and for enforcing access control.

    Every Sync Gateway user is granted access to zero, one or more channels. It is the channels membership that determines the documents users can access — as illustrated in Access Control Model

    A Sync Gateway role is a way of logically grouping users. Like the channel, a role is granted access to zero, one or more channels.

    A user can only read documents that are in at least one of their assigned channels; whether directly or as part of an assigned role.

    Context

    You control document access by routing it to a channel and by making that channel accessible to the users or roles you want to be able to access documents of that type.

    Sync Gateway

    All users can implicitly access any document in the public channel. In addition, there can be user-defined channels that users can be assigned to.

    Once a user is granted access to a new channel, the next replication pull request from the client will retrieve all documents to which the user now has access.

    Revoking access to a channel means that users who previously used the channel to get replicated documents will no longer see any synced updates.

    Note that access grants neither confer, nor constrain, the type of access. Instead you can explicitly implement write access controls within the Sync Function; perhaps restricting updates to specific users or roles — for more on this see Control Write Access.

    Couchbase Lite

    By default, Couchbase Lite gets all the channels to which the configured user account has access. Optionally, a Couchbase Lite "pull" replication can also specify a comma-separated list of channel names to receive documents from. In this case, the replication from Sync Gateway will only pull documents tagged with those channels. Client apps can use this ability to intelligently sync with a subset of the available documents from the database.

    Channel Access Revocation

    3.0 Breaking Change
    Whenever a user loses access to a channel (or channels) all document in the channel(s) are auto-purged from local Couchbase Lite databases.
    In Sync Gateway 2.x these documents remain in the local database on channel access loss.

    Users may lose access to documents for many reasons, including:

    • The User loses direct access to channel

    • The User is removed from a role

    • A role the user belongs to is revoked access to channel

    By default, when a user loses access to a channel, the next Couchbase Lite Pull replication auto-purges all documents in the channel from local Couchbase Lite databases (on devices belonging to the user) unless they belong to any of the user’s other channels — see: Table 1.

    Table 1. Sync Gateway behavior following access revocation
    System State Impact on Sync

    Replication Type

    Access Control on Sync Gateway

    Expected behavior (auto-purge enabled- default)

    Pull only

    User revoked access to channel.

    Sync Function includes requireAccess(revokedChannel)

    Previously synced documents are auto purged on local

    Push only

    User revoked access to channel.

    Sync Function includes requireAccess(revokedChannel)

    No impact of auto-purge

    Documents get pushed but will be rejected by Sync Gateway

    Push-pull

    User revoked access to channel

    Sync Function includes requireAccess(revokedChannel)`

    Previously synced documents are auto purged on Couchbase Lite.

    Local changes continue to be pushed to remote but are rejected by Sync Gateway

    Provisioning

    • Channel — the channels topic discusses how channels are created and how documents can be assigned to channels.

    • User — the user topic discusses provisioning of users and providing users access to channels.

    • Role — the role topic discusses roles, assignment of users to roles created and providing roles access to channels.

    Channels

    Concept

    Sync Gateway uses Channels to make it easy to share a database’s documents across a large user base whilst retaining effective access control. They serve as a security conduit between the document and a user:

    Overview

    Every document in the database is assigned a list of channels it is distributed to. Every user (or role) is granted access to a list of channels. This dual-purpose is reflected in the way you use channels:

    • By granting a user access to a channel, you are imposing access control

    • By assigning a document to a channel you are imposing document routing

    You typically will use channels to:

    • Control who can access what

    • Partition your data set

    • Enable users to access just the documents they need

    • Minimize the amount of data synced to mobile devices

    Sync Gateway provides two special channels and a channel wildcard character.

    Use Case

    Consider the case where two users require, and are allowed, access to a private set of documents and one shared shared of documents — see Figure 1.

    Access Control using Channels
    Figure 1. Channels in Access Control

    In this case, each user is assigned to a private channel with a subset of documents that only the user can access and a shared channel that contains common documents. The users in this example could be replaced by roles.

    An example of this model could be a retail chain, where every store corresponds to a Sync Gateway User. Each store has a store specific channel that contains documents that are store specific like pricing, promotions, inventory etc. In addition, all the stores may need to have access to a common set of documents like retail locations, product catalog that are stored in a common shared channel.

    Configuration

    • Version 3.x

    • legacy

    Access Control Points 3.x
    1 Using the Admin REST API:
    You can provide the admin_channels property using the Admin REST API endpoint (/{tkn-db}/_user/{name}).
    2 Programmatically using Access Grant Document:
    The Sync Function provides a flexible and secure method for controlling document access and routing. You can program it to derive appropriate access and channel routing information from document properties.
    Optionally, the access grant can be specified via a designated extended attribute (XATTR) — see: Use XATTRs for Access Grants for how to define the XATTR.
    Access Control Points pre 3.x
    1 Using the Admin REST API : You can provide the admin_channels property using the Admin REST API endpoint (/{tkn-db}/_user/{name}).
    2 Programmatically using Access Grant Document:  The Sync Function provides a flexible and secure method for controlling document access and routing.
    You can program it to derive appropriate access and channel routing information from data embedded within document properties.
    3 File-based Configuration Properties: This is only available in 3.x and is typically used for dev/test environments. You can do it in the Sync Gateway JSON Configuration File (Database Configuration ) by adding the appropriate channel to the user’s admin_channels property — see: user admin_channels.

    System Channels

    Public Channel

    The Public Channel ('!') — is a channel for publicly available documents. It is ideal for use in making information available across the user community.

    You assign a document to the public (!) channel using the channel() function.

    Documents assigned to this channel can be accessed by all users; even users assigned no specific channel access.

    New users are automatically granted access to the channel.

    All Documents Channel

    The All Documents Channel ('*') [1] — is a single, internal channel, comprising all documents from all channels.

    Assignment to this channel is automatic and implicit. You cannot explicitly assign documents to the channel or remove documents from it.

    This channel should not be confused with the use of the All Channels Wildcard in access grants.

    All Channels Wildcard

    The All Channels Wildcard ('*') — used when granting user access, this wildcard grants access to any document in any channel.

    You make dynamic user access grants in the sync function using the access() method.

    Granting a user access with the all channels wildcard gives them access to any channel, and any document in any channel, including those from private channels.

    Replications by users with all channels wildcard access will pull all documents. Because of this potential for syncing large volumes of data (sync pulls all documents in the bucket), users with all channels wildcard access should use a channel filter to explicitly name the channel(s) to be sync’d.

    Note: Users granted access using the all channels wildcard do not inherit requireAccess() rights to any specific channel.

    Always use a filter in conjunction with the all channels wildcard, to avoid sync unnecessarily pulling large numbers of documents to mobile devices.

    You assign documents to channels in the Sync Function.

    Channels are created as documents are assigned to them.

    Valid channel names consist of text letters [A–Z, a–z], digits [0–9], and a few special characters [= + / . , _ @]. Channel names are case-sensitive. Channels with no documents assigned to them are empty.

    Channel Limits

    Table 2. Guidance on Channel Assignment Limits
    Element Limiting factor Guidance Limit (Channels)

    Channels per document

    The amount of memory consumed by the combined number of channels and access grants must fit within the maximum 1Mb xattr size limit — see: Table 3.

    50

    Channels per user

    The amount of memory consumed by channels must fit within the 20 MB available on Couchbase Server docs for storing metadata — see: Table 3
    Note that the memory is retained for as long as the replication remains active.

    1,000

    Sync Metadata Limits

    Every time a document is assigned to a new channel, the channel name is appended to that document’s sync metadata.

    Therefore, a document’s set of channels is limited by the allowed sync metadata size described in Table 3.

    Table 3. Size Limits for Sync Metadata
    Value of enable_shared_bucket_access Size (Mb per Document)

    false

    20

    true

    1

    Sync Gateway will assign a document to a new channel as long as the sync metadata remains under the allowed limit.

    What to do when your channel count exceeds the usable space for sync metadata?

    In order to lower the sync metadata size per document, you can do one of the following:

    • Lower the number of channels per document.

    • Shorten the channel names. A shorter channel name will occupy less space ("customer==0030169303" vs "cs==0030169303").

    • Lower the revs_limit value. Indeed, a copy of channel metadata is retained for each revision of a document.

    Users

    Concept

    Users are one of the cornerstone concepts of access control. You can restrict document access to specific users and-or to users with specific roles.

    As an entity a user comprises a name, password, list of Roles and a list of Channels.

    Sync Gateway Users

    Sync Gateway users and roles have no relationship to Couchbase Server’s RBAC (Role-based Access Control) users. They are created and operate solely within the Sync Gateway ecosphere to govern access to replication data and to the Public API.

    Users granted access to a Channel can access all documents assigned to that channel.

    Users can also be assigned to zero or more Roles. A user inherits the channel access of all roles it belongs to. This is very much like Unix groups, except that roles do not form a hierarchy.

    Sync Gateway user credentials can be used to authenticate access to the Public API; RBAC users are required for access to other API.

    RBAC Users

    Couchbase Server RBAC user credentials are required to authenticate and authorize access to the Admin and Metrics API. You will need to create these users on Couchbase server in order to enable access — see: Create RBAC users for how to and Security Authorization Overview for more on RBAC user authentication.

    Roles

    Concept

    Roles are named collections of Channels. They enable the grouping together of Users with similar characteristics, which makes the management of large user populations easier.

    Roles are granted access to channels. Any user assigned a role can access any channels (and documents within those channels) the role has been granted access to.

    As an entity, roles comprise a name and a list of channels.

    Any user associated with a role inherits the right to access any of the channels in the role’s list. This provides a convenient way to associate multiple channels with multiple users.

    Roles have a separate namespace from users, so it’s possible to have a user and a role with the same name.